![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 79%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
979 questions
Hello, The KQL you need would be this, its part of the SecurityAlert NOT the SecurityIncident - which may help you find the api?
Specifically the value of Search_Query_Results_Overall_Count_ matches "Events"
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber), Severity
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join
(
SecurityAlert
| extend Search_Query_Results_Overall_Count_ = tostring(parse_json(ExtendedProperties).["Search Query Results Overall Count"])
| summarize AlertCount=dcount(SystemAlertId) by SystemAlertId, Search_Query_Results_Overall_Count_
) on $left.AlertIds == $right.SystemAlertId
| project IncidentNumber, AlertCount, Search_Query_Results_Overall_Count_